
Faculty of Mathematics

CMS Laptop network - laptop server details


As of 2010-09-18 we switched to a new laptop server on newer (and faster) hardware, and a more recent base operating system. There should be few user-visible changes. This new setup allowed us to provide various extra facilities.

Please let us know if you find any new problems, or if any of the documentation is incorrect or out of date.

Windows printer drivers

The print server will now also offer drivers to 64-bit Windows machines. These drivers have not been officially released by the CUPS developers but other sites have reported success with them, and they seem to work for the Windows Vista and Windows 7 64-bit users who have tested them here.

Firewall protocol support

Some older protocols no longer have specific support, and may not work as well as they did before. In particular the authors of the GRE NAT support have made it clear that it only really supports PPTP and will not work with anything else (not that much else uses GRE).

The firewall seems to have good support for H323 and SIP, which are commonly used in video-conferencing and phone systems.

Please report any problems you encounter while using the laptop network; we may be able to alter the settings to make things work better, though not all problems will be easy to fix.

New ways to authenticate

The new server should soon support the 802.1x (dot1x) mechanisms for authentication over wired connections. We already use the same underlying system for the eduroam wireless authentication.

Unencrypted Wireless restrictions

Only https forms of authentication may be used from the wireless service.

Attempting to authenticate over http from such a network will result in being redirected to an error document describing why this isn't allowed.

Once authenticated to the wireless service, connectivity is restricted to just:

  • http web access (on tcp port 80) - insecure
  • http-proxy web access (on tcp port 8080) - insecure
  • https web access (on tcp port 443)
  • ssh access (on tcp port 22)
  • imaps (secure imap) access (on tcp port 993)
  • pops (secure pop) access (on tcp port 995)
  • smtps (secure smtp) access (on tcp port 465)
  • ldaps (secure ldap) access (on tcp port 636)
  • IPsec IKE (isakmp) (on udp port 500)
  • IPsec/NAT-T (on udp port 4500)
  • OpenVPN (on udp/tcp ports 1194)
  • dhcp (IP address) access (on udp port 67 -- only to lapserv)
  • dns (name lookup) access (on udp port 53 -- only to lapserv)
  • ntp (time setting) access (on udp port 123 -- only to lapserv)
  • daytime (time setting) access (on tcp and udp port 13 -- only to lapserv)

Experimentally we are also currently allowing the following to permit printing from the wireless service:

  • samba access (on udp port 137, 138 and tcp ports 139, 445 - only to lapserv)
  • ipp CUPS/IPP printing access (on tcp port 631 - only to lapserv and associated local CUPS servers)
  • lpd (traditional unix printing) (on tcp port 515 - only to lapserv)
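The two lists above (the base wireless allow-list and the experimental printing additions) amount to a default-deny egress policy in which a few services are reachable anywhere and others only on the laptop server. The following Python is an added illustration of that policy, not the CMS firewall's own configuration: the rule table mirrors the documented ports, the laptop server address is a placeholder assumption, and `to_nft()` renders the same table as nftables rule lines so the documentation and the configuration can be checked against each other. The ipp entry is simplified to lapserv only; the page also permits the associated local CUPS servers.

```python
"""Model of the unencrypted-wireless egress allow-list (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

LAPSERV = "10.0.0.1"  # placeholder address for lapserv (assumption, not the real one)


@dataclass(frozen=True)
class Rule:
    proto: str                 # "tcp" or "udp"
    ports: Tuple[int, ...]     # destination ports covered by this rule
    dst: Optional[str] = None  # None = any destination, else only this host
    note: str = ""


# Transcribed from the lists on this page; anything not listed is denied.
WIRELESS_EGRESS = [
    Rule("tcp", (80, 8080), note="http / http-proxy (insecure)"),
    Rule("tcp", (443, 22, 993, 995, 465, 636), note="https, ssh, imaps, pops, smtps, ldaps"),
    Rule("udp", (500, 4500), note="IPsec IKE and NAT-T"),
    Rule("udp", (1194,), note="OpenVPN"),
    Rule("tcp", (1194,), note="OpenVPN"),
    Rule("udp", (67, 53, 123, 13), dst=LAPSERV, note="dhcp, dns, ntp, daytime"),
    Rule("tcp", (13,), dst=LAPSERV, note="daytime"),
    # experimental printing entries
    Rule("udp", (137, 138), dst=LAPSERV, note="samba name/datagram service"),
    Rule("tcp", (139, 445, 631, 515), dst=LAPSERV, note="samba, ipp, lpd"),
]


def egress_allowed(proto: str, dport: int, dst: str, table=WIRELESS_EGRESS) -> Optional[Rule]:
    """Return the first matching rule for a client-initiated flow, or None (deny).

    A rule with a dst restriction matches only when the packet is addressed
    to that host, which is how the "only to lapserv" entries behave.
    """
    for rule in table:
        if rule.proto != proto or dport not in rule.ports:
            continue
        if rule.dst is not None and rule.dst != dst:
            continue
        return rule
    return None


def to_nft(table=WIRELESS_EGRESS) -> list:
    """Render the table as nftables rule lines for a chain whose policy is drop."""
    lines = []
    for rule in table:
        ports = ", ".join(str(p) for p in rule.ports)
        prefix = f"ip daddr {rule.dst} " if rule.dst else ""
        lines.append(f"{prefix}{rule.proto} dport {{ {ports} }} accept  # {rule.note}")
    return lines


if __name__ == "__main__":
    for flow in [("tcp", 443, "198.51.100.7"), ("udp", 53, LAPSERV),
                 ("udp", 53, "198.51.100.7"), ("tcp", 25, "198.51.100.7")]:
        hit = egress_allowed(*flow)
        print(flow, "ALLOW" if hit else "DENY", hit.note if hit else "")
    print("\n".join(to_nft()))
```

Note that plain smtp (25) and imap (143) are deliberately absent from this table: the page handles them through a separate command filter rather than a plain port hole.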

In addition, a small number of email-related services are partly permitted. Connections to these services are filtered through code which permits only a limited set of commands until the connection has been encrypted, to try to avoid the insecurities of plaintext mail protocols.

Where possible mail clients should be configured to use the ports listed above, e.g. imaps on port 993 and smtps on port 465, but if the client cannot be configured to use them then it is worth trying to configure the client to require STARTTLS on the following ports:

  • imap access (on tcp port 143)
  • msp (message submission) access (on tcp port 587)
  • smtp (for mail submission) access (on tcp port 25)

Note that smtp is very likely to be blocked at various firewalls anyway so use of smtps or msp is strongly encouraged. Some sites also block access to the imap ports too so you may prefer to configure clients to use the imaps port.

We only permit the full range of mail commands to be issued once the mail client has performed a STARTTLS (enabling encryption) on the connection. Failure to configure clients to perform STARTTLS may result in incomprehensible error messages, and for broken clients (such as some versions of the Mac OSX Mail app) may expose your password -- you have been warned!

Because these services are being filtered, the performance will be poor and the code may cause problems for some mail clients. It is only intended for use by clients which cannot be configured to use mail services like imaps and smtps - which are always secure.
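The filtering described above can be pictured as a small gate sitting in front of the plain smtp, msp and imap ports: before the client has issued STARTTLS only the handshake commands are passed through, and anything else (AUTH in particular) is answered locally and never reaches the mail server. The Python below is an added illustration of that idea for SMTP, not the laptop server's own filter code; it assumes the server accepts the STARTTLS and that after the handshake the connection is passed through untouched, and the client lines in the sample session are constructed (the AUTH argument is a made-up credential). The same state machine applies to IMAP with `STARTTLS`/`LOGIN`/`AUTHENTICATE` in place of the SMTP verbs.

```python
"""Pre-STARTTLS command gate for an SMTP submission port (added example)."""

# Commands a client legitimately needs before it can reach STARTTLS.
PLAINTEXT_OK = {"EHLO", "HELO", "STARTTLS", "NOOP", "RSET", "QUIT"}
# Reply defined by RFC 3207 for commands that require the TLS layer first.
MUST_TLS_FIRST = "530 5.7.0 Must issue a STARTTLS command first"


class StartTlsGate:
    """Tracks one connection's TLS state and vets each client command line."""

    def __init__(self):
        self.tls = False
        self.rejected = []  # verbs dropped in clear; arguments are never logged

    def handle(self, line: str):
        """Return ("forward", line) to pass to the server, or ("reply", text)."""
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if self.tls:
            # After STARTTLS the bytes are ciphertext; nothing to inspect.
            return ("forward", line)
        if verb == "STARTTLS":
            # Assumption: the server answers 220 and the handshake succeeds.
            self.tls = True
            return ("forward", line)
        if verb in PLAINTEXT_OK:
            return ("forward", line)
        # Anything else (AUTH, MAIL, DATA ...) is refused locally so a broken
        # client cannot hand its password to the network in clear.
        self.rejected.append(verb)
        return ("reply", MUST_TLS_FIRST)


def run_session(commands):
    """Drive a gate over a list of client command lines; returns (outcomes, rejected)."""
    gate = StartTlsGate()
    return [gate.handle(c) for c in commands], gate.rejected


# Constructed sample: a client that tries AUTH before and after STARTTLS.
SAMPLE_SESSION = [
    "EHLO laptop.example",
    "AUTH PLAIN AHVzZXIAcGFzcw==",   # made-up base64 of "\0user\0pass"
    "STARTTLS",
    "AUTH PLAIN AHVzZXIAcGFzcw==",   # now travels inside TLS, so forwarded
    "MAIL FROM:<user@example>",
]

if __name__ == "__main__":
    outcomes, rejected = run_session(SAMPLE_SESSION)
    for cmd, (action, text) in zip(SAMPLE_SESSION, outcomes):
        print(f"{cmd.split()[0]:9} -> {action}: {text if action == 'reply' else ''}")
    print("rejected in clear:", rejected)
```

The visible effect for a mis-configured client is exactly the page's "incomprehensible error message": the client sees a 530 reply to its AUTH and usually gives up, which is preferable to the credential reaching the wire.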

Once we have done more testing it is possible that some extra services may be permitted. Note that the unencrypted wireless service is primarily intended for those who have fairly basic needs: we provide wired connections in offices and meeting rooms etc., and it also serves to obtain the details needed to use the eduroam wireless service.

The Unencrypted wireless can also act as a provisioning network for the eduroam network - e.g. to allow access over https to the information needed to securely configure access to it.

Wireless hotspots at CMS

We have a number of wireless hotspots on the CMS site providing coverage of common rooms, some meeting rooms and many of the offices. We can also often provide additional coverage in specific areas if given some notice, e.g. an additional access point for specific rooms during a conference which needs extra coverage.

We are currently using Cisco 1130-AG access points, which support both the A and B/G wireless bands and can provide multiple independent networks (technically ESSIDs), so they can be used to provide access to wireless networks with different access-control and security policies.

The same set of access-points also currently provide access to the UCS UniOfCam service which is also an unencrypted/open wireless service and so places many of the same restrictions on what services may be used.

Wired Network Restrictions

Summary: most network traffic initiated by a computer on the laptop network is allowed.

Privileged UDP ports (1 to 1024) are blocked.

The eduroam service offered here meets the tier 2 technical requirements in section 4.5 "IP FORWARDING".

Printing changes

The printing support is provided with CUPS/IPP, and using the Samba-cups support.

As an experiment we are also now allowing access to CUPS/IPP and Samba printing services from the wireless service.

Known Issues

We believe that we have corrected most of the old/existing documentation which referred to things which are no longer true. However, we may have missed some of it.

Please report any problems you encounter, or any mistakes you find in the documentation.

Future improvements

The server provides better functionality than the old one, for example:

  • Faster throughput -- updated server hardware and faster network links should improve performance; especially at busy times.
  • Wireless -- very limited access over a simple unencrypted setup.
  • Wireless -- eduroam with WPA enterprise authentication.
  • web-based authentication over https on wired and .
  • new IPP based printing support -- especially useful from Mac OSX and Linux clients using CUPS etc.
  • better printing support for modern versions of Windows -- an updated samba server supporting the more recent Windows printing model and support for 64-bit versions of Windows.

We hope to be able to extend it to provide:

  • dot1x based authentication on wired ports -- easier and more secure client configuration.
  • support for attaching special-purpose devices to wired lapnet ports -- e.g. maybe printers or video-conference units etc.

In addition it may be possible to support additional protocols and provide some Group specific networks for those who need them.

Revision/change log

Wed Jan  4 19:43:06 GMT 2012: update to be current about what we offer
Sat Sep 18 07:11:42 BST 2010: Installed/switched to new server so update the top etc.
Mon Feb 16 23:10:46 GMT 2009: Minor changes - server is no longer new etc
Wed Feb  4 00:49:53 GMT 2009: mention that we now permit printing from - as an experiment anyway
Thu Oct 11 22:14:19 BST 2007: get document ready for real launch of service!
Tue Apr 17 23:44:28 BST 2007: convert to new 'style' and add info
  about extra new holes (IPsec/OpenVPN), and starttls hacks, document
  existing special cases for dhcp/dns/ntp
Mon Aug 14 21:09:08 BST 2006: add info about new wireless holes etc
Wed Apr 19 04:15:23 BST 2006: add revision log, and another item
Tue Apr 18 05:06:22 BST 2006: add info on insecure.html, expand some bits
Tue Apr 17 23:57:00 BST 2006: initial revision